Critical vulnerabilities allow remote attackers to perform Remote Code Execution. The other bulletins which are marked as important allow Remote code execution and Elevation of Privilege.

One Zero day vulnerability is addressed in MS16-154 (CVE-2016-7892) addresses a zero-day flaw in Adobe Flash Player which allows attackers lead to arbitrary code execution. It is an use-after-free vulnerability, which has been used in limited targeted attacks against users running the 32-bit version of IE on Windows.